feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-12-06 05:52:18 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/internal/user/model/user_human.go
+++ b/internal/user/model/user_human.go
@@ -1,9 +1,11 @@
 package model

 import (
-	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"bytes"
 	"time"

+	iam_model "github.com/caos/zitadel/internal/iam/model"
+
 	"github.com/caos/zitadel/internal/crypto"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
 )
@@ -14,12 +16,16 @@ type Human struct {
 	*Email
 	*Phone
 	*Address
-	ExternalIDPs []*ExternalIDP
-	InitCode     *InitUserCode
-	EmailCode    *EmailCode
-	PhoneCode    *PhoneCode
-	PasswordCode *PasswordCode
-	OTP          *OTP
+	ExternalIDPs       []*ExternalIDP
+	InitCode           *InitUserCode
+	EmailCode          *EmailCode
+	PhoneCode          *PhoneCode
+	PasswordCode       *PasswordCode
+	OTP                *OTP
+	U2FTokens          []*WebAuthNToken
+	PasswordlessTokens []*WebAuthNToken
+	U2FLogins          []*WebAuthNLogin
+	PasswordlessLogins []*WebAuthNLogin
 }

 type InitUserCode struct {
@@ -53,7 +59,7 @@ func (u *Human) IsInitialState() bool {
 }

 func (u *Human) IsOTPReady() bool {
-	return u.OTP != nil && u.OTP.State == MfaStateReady
+	return u.OTP != nil && u.OTP.State == MFAStateReady
 }

 func (u *Human) HashPasswordIfExisting(policy *iam_model.PasswordComplexityPolicyView, passwordAlg crypto.HashAlgorithm, onetime bool) error {
@@ -105,3 +111,75 @@ func (u *Human) GetExternalIDP(externalIDP *ExternalIDP) (int, *ExternalIDP) {
 	}
 	return -1, nil
 }
+
+func (u *Human) GetU2F(webAuthNTokenID string) (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if u2f.WebAuthNTokenID == webAuthNTokenID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FByKeyID(keyID []byte) (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if bytes.Compare(u2f.KeyID, keyID) == 0 {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FToVerify() (int, *WebAuthNToken) {
+	for i, u2f := range u.U2FTokens {
+		if u2f.State == MFAStateNotReady {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordless(webAuthNTokenID string) (int, *WebAuthNToken) {
+	for i, u2f := range u.PasswordlessTokens {
+		if u2f.WebAuthNTokenID == webAuthNTokenID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessByKeyID(keyID []byte) (int, *WebAuthNToken) {
+	for i, pwl := range u.PasswordlessTokens {
+		if bytes.Compare(pwl.KeyID, keyID) == 0 {
+			return i, pwl
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessToVerify() (int, *WebAuthNToken) {
+	for i, u2f := range u.PasswordlessTokens {
+		if u2f.State == MFAStateNotReady {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetU2FLogin(authReqID string) (int, *WebAuthNLogin) {
+	for i, u2f := range u.U2FLogins {
+		if u2f.AuthRequest.ID == authReqID {
+			return i, u2f
+		}
+	}
+	return -1, nil
+}
+
+func (u *Human) GetPasswordlessLogin(authReqID string) (int, *WebAuthNLogin) {
+	for i, pw := range u.PasswordlessLogins {
+		if pw.AuthRequest.ID == authReqID {
+			return i, pw
+		}
+	}
+	return -1, nil
+}